Stash file problems

Edward Murrell edward at dlconsulting.com
Mon Feb 12 16:21:11 EST 2007


Ah ha. This was my fault. As it turns out, I had funky cross realm
authentication going on because I was moving from one realm to another.
The master KDC at one point had had two KDCs running on it, and the
default realm in krb5.conf was set to the old realm. This had worked for
a while, because the old realm understood the new realm.

Anyway, the fix was to have the correct realm in krb5.conf.

Regards
Edward

Edward Murrell wrote:
> Hi all,
>
> I've run into some problems with a KDC slave that's started giving me
> grief out of the blue.
>
> System (bender) is Debian testing, x86. Krb5 packages are all 1.4.4-6.
>
> The master KDC (becks) is Ubuntu 6.06 (LTS) running KRB5, with Krb5
> packages 1.4.3-5ubuntu0.2. The master KDC also feeds another slave KDC
> (vulcan) also running Ubuntu 6.06 with KRB5 1.4.3-5ubuntu0.2.
>
> --
>
> The slave KDC (bender) was working perfectly. The KDC appears to have
> fallen over without any warning whatsoever. I can still log in via GSSAPI
> on SSH, and if I disable the local KDC, it defaults to one of the
> backups, and everything works perfectly, so it's not the local libraries.
>
> The following appears in the kdc.log
>
> Feb 12 08:43:15 bender krb5kdc[15900](info): AS_REQ (3 etypes {16 1 3})
> 69.60.121.195: NEEDED_PREAUTH: edward at DLCONSULTING.COM for
> krbtgt/DLCONSULTING.COM at DLCONSULTING.COM, Additional pre-authentication
> required
> Feb 12 08:43:15 bender krb5kdc[15900](info): AS_REQ (3 etypes {16 1 3})
> 69.60.121.195: ISSUE: authtime 1171222995, etypes {rep=16 tkt=16
> ses=16}, edward at DLCONSULTING.COM for
> krbtgt/DLCONSULTING.COM at DLCONSULTING.COM
>
> Feb 12 16:10:17 bender krb5kdc[15900](info): AS_REQ (3 etypes {16 1 3})
> 69.60.121.195: CLIENT_NOT_FOUND: edward at DLCONSULTING.COM for
> krbtgt/DLCONSULTING.COM at DLCONSULTING.COM, Client not found in Kerberos
> database
>
> So it's working, and then eight hours later, my principal doesn't exist
> anymore!
>
> Since then, I've reinstalled the krb5-kdc packages and their supporting
> libraries, just in case.
>
> Now, when I try to recreate the stash key I get the following error;
>
> bender:/etc/krb5kdc# kdb5_util stash -f /etc/krb5kdc/stash
> kdb5_util: No such entry in the database while retrieving master entry
>
> I've tried forcing the database to be propagated from the master
> (successfully), and creating the stash key manually and copying it from
> the master. When I do this, and try to start the KDC, I get the
> following error;
>
> krb5kdc: Cannot find master key record in database - while verifying
> master key for realm DLCONSULTING.COM
>
> So now I'm confused. This should work. Anyone got any ideas?
>
> Cheers
> Edward

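The fix from the reply at the top of this thread, as an added example that is not part of either message: a check that the `default_realm` in krb5.conf is one of the realms the local kdc.conf defines. Run without `-r`, `kdb5_util` and `krb5kdc` work in the default realm, so a stale value makes them look for a master key entry the propagated database does not hold. The file contents, the placeholder OLD.EXAMPLE.COM and the function names are constructed for illustration.

```python
import re

# Constructed sample files. OLD.EXAMPLE.COM is a placeholder for the old realm,
# which the thread does not name; the database path is made up as well.
KRB5_BEFORE = "[libdefaults]\n    default_realm = OLD.EXAMPLE.COM\n"
KRB5_AFTER = "[libdefaults]\n    default_realm = DLCONSULTING.COM\n"
KDC_CONF = """[realms]
    DLCONSULTING.COM = {
        database_name = /var/lib/krb5kdc/principal
        key_stash_file = /etc/krb5kdc/stash
    }
"""

def _lines(text):
    # Stripped lines, minus blanks and '#' / ';' comment lines.
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            yield line

def default_realm(krb5_conf):
    """Return default_realm from [libdefaults] in krb5.conf text, or None."""
    section = None
    for line in _lines(krb5_conf):
        if re.fullmatch(r"\[\w+\]", line):
            section = line[1:-1]
        elif section == "libdefaults":
            m = re.fullmatch(r"default_realm\s*=\s*(\S+)", line)
            if m:
                return m.group(1)

def served_realms(kdc_conf):
    """Return the realm names opened as 'NAME = {' under [realms] in kdc.conf text."""
    realms, section, depth = [], None, 0
    for line in _lines(kdc_conf):
        if depth == 0 and re.fullmatch(r"\[\w+\]", line):
            section = line[1:-1]
            continue
        m = re.match(r"(\S+)\s*=\s*\{", line)
        if m and section == "realms" and depth == 0:
            realms.append(m.group(1))
        depth += line.count("{") - line.count("}")  # skip settings inside a realm block
    return realms

def check(krb5_conf, kdc_conf):
    # The master key entry is looked up in the default realm unless -r is given.
    realm, realms = default_realm(krb5_conf), served_realms(kdc_conf)
    return f"{'OK' if realm in realms else 'MISMATCH'}: default_realm {realm}, kdc.conf realms {realms}"
```

On a live KDC, pass the contents of /etc/krb5.conf and the kdc.conf in use to `check()` before recreating the stash file.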


